How to Create and Deploy OMA DM Policy with SCCM Current Branch and Intune Hybrid

First of all, what is OMA-DM? Open Mobile Alliance (OMA) Device Management (DM) is a device management protocol used by modern management tools to manage modern devices. OMA DM supports provisioning, device configuration, software upgrades and fault management of devices. Windows 10 1511 comes with loads of device management capabilities through OMA-DM. We can create custom OMA DM policies in SCCM/ConfigMgr Current Branch 1511 and deploy them ONLY to Intune MDM clients. OMA-DM management capabilities are NOT opened for SCCM/ConfigMgr fully managed clients; they are opened only for MDM channels. More details about OMA DM and Windows 10 policies here.

How to create Custom OMA DM policy to Deny Time and Date changes on Windows 10 Devices with SCCM Current Branch (CB)?

Open the SCCM/ConfigMgr CB console, browse to “\Assets and Compliance\Overview\Compliance Settings\Configuration Items” and create a new Configuration Item called “OMA DM Custom Compliance Policy”. Select the option “Settings for Devices Managed Without Configuration Manager Client” and click Next.

Complete the wizard by clicking Next, Next, Next (default settings) and Finish.

Right click on the SCCM CB Configuration Item which we created and go to Properties.

Click on the Settings tab and click on the New settings button.

In the Create New Settings window, select setting type OMA URI, data type Integer and OMA-URI ./Vendor/MSFT/Policy/Config/Settings/AllowDateTime. With this setting and a remediation rule we can disable the time setting on a Windows 10 MDM client.

URI full path: ./Vendor/MSFT/Policy/Config/Settings/AllowDateTime

Data type: Integer

Allowed values:

0 – not allowed

1 – allowed

Default value: 1

Click on Compliance Rules and create one new compliance rule. Also specify the remediation rules.

Specify rules to define compliance conditions for this setting: the SCCM CI compliance rule type is "equals value", and the remediation rule has been set to rectify non-compliant devices.

Now create a baseline for the SCCM Configuration Item we have created with the OMA DM setting. Right click on Configuration Baselines and select Create Configuration Baseline (SCCM path: \Assets and Compliance\Overview\Compliance Settings\Configuration Baselines).

In the SCCM Configuration Baseline window, type in the name of the baseline, “Deny Date and Time Using OMA DM”. Select the Configuration Item which we created in the above section, called OMA DM Custom Compliance Policy.

Now it’s time to deploy the SCCM Configuration Baseline which we created. Right click on the baseline and select Deploy.

Deploy the SCCM Configuration Baseline to the user collection “Test Users”. We can also schedule the deployment for the MDM devices. I normally stick with the default schedule, and that is 7 days.

Once the deployment is created we can see the compliance status, deployment start time, etc.

We can check the status of the SCCM Configuration Baseline from the Monitoring workspace (\Monitoring\Overview\Deployments). In this scenario, we got a report back from the Windows 10 1511 MDM client that the device is non-compliant.

This is a non-compliant device; however, it’s not getting remediated. The remediation check mark was missed in the deployment options. We enabled remediation and the remediation started working.

The end result of denying changes to the Date and Time settings in Windows 10: the OMA DM compliance policy works well in this scenario.

Some notes on troubleshooting Windows 10 OMA DM related configuration and policy errors. There are no log files for the lightweight MDM clients for Intune and SCCM CB. However, more details are available in the event logs under Microsoft / Windows / DeviceManagement-Enterprise-Diagnostics-Provider/Admin.

Some of the sample event logs related to the deployment failures of the SCCM CB OMA DM Configuration Baseline.
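One way to pull those events from an enrolled device, as an added example that is not part of the original post. The 7-day look-back and the assumption that a related event's message text contains the node name `AllowDateTime` are choices made for this example.

```powershell
# Added example: summarize MDM policy warnings/errors on a Windows 10 MDM client.
# Run in an elevated PowerShell session on the enrolled device.
$LogName = 'Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin'
$Node    = 'AllowDateTime'            # last segment of the OMA-URI used on this page
$Since   = (Get-Date).AddDays(-7)     # assumption: look back one week

# Confirm the channel exists before querying it (it is absent on non-MDM-capable builds).
$log = Get-WinEvent -ListLog $LogName -ErrorAction SilentlyContinue
if (-not $log) {
    Write-Output "Event channel '$LogName' was not found on this device."
}
else {
    $filter = @{
        LogName   = $LogName
        Level     = 1, 2, 3           # Critical, Error, Warning
        StartTime = $Since
    }

    # Get-WinEvent reports an error when no event matches the filter;
    # SilentlyContinue turns that case into an empty result instead.
    $events = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)

    if ($events.Count -eq 0) {
        Write-Output "No warning or error events in the MDM Admin channel since $Since."
    }
    else {
        # Overview: which event IDs occur most often
        $events |
            Group-Object -Property Id |
            Sort-Object -Property Count -Descending |
            Select-Object -Property Count, @{ Name = 'EventId'; Expression = { $_.Name } } |
            Format-Table -AutoSize

        # Detail: events whose message mentions the policy node deployed above
        $related = @($events | Where-Object { $_.Message -like "*$Node*" })
        if ($related.Count -eq 0) {
            Write-Output "No warning or error event mentions '$Node'."
        }
        else {
            $related |
                Select-Object -Property TimeCreated, Id, LevelDisplayName, Message |
                Format-List
        }
    }
}
```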

Another important piece alongside OMA DM is the configuration service provider (CSP), an interface to read, set, modify, or delete configuration settings on the device. Configuration service providers (CSPs) are used to manage registry keys over the air or by using an application. More details here and here.

Anoop is a Microsoft MVP and Veeam Vanguard! He is a Solution Architect on enterprise client management with more than 16 years of experience (calculation done in the year 2014) in IT. He is a blogger, speaker and local user group community leader. His main focus is on device management technologies like SCCM 2012, Current Branch and Intune. He writes about technologies like SCCM, SCOM, Windows 10, Azure AD, Microsoft Intune, RMS, Hyper-V etc.
